Developing Security Criteria for Your Procurement

Disclaimer: The following information and guidance has been provided for information purposes only and does not constitute legal advice. Readers should contact their own legal services with respect to developing specific requirements to ensure they are compliant with any applicable legal, regulatory or other requirements including international trade agreements.

The optimal time to incorporate security considerations into your procurement is prior to awarding a contract. Ideally, your RFP will include evaluation criteria related to matters of security. You may wish to incorporate such criteria (see below) as either mandatory or rated elements of your assessment, subject to any applicable laws, international trade agreements or policies which you may be obligated to follow. Institutions and their procurement officials are best suited to develop risk mitigation measures within an RFP.

Legal and Financial Standing Criteria

It can be important to consider who a bidder is when assessing risks to security. You may wish to consider including a requirement that a bidder be transparent about its financial position and its legal relationships with other customers and governments, for example by requiring that bidders identify:

  1. If there are any active lawsuits against the bidder or its proposed suppliers, particularly if these relate to matters of security (e.g., instances of corporate espionage or financial fraud).

  2. If the bidder has any active relationships or is in receipt of preferential treatment from a foreign government.

  3. If the bidder can demonstrate alignment of security and supply chain assurance with a framework such as IT Security Risk Management: A Lifecycle Approach (ITSG-33), NIST Special Publication 800-161 Rev. 1 Supply Chain Risk Management Practices for Federal Information Systems, or ISO/IEC 27036-1:2021 Information Security for Supplier Relationships.

Subject to any applicable laws, agreements or policies which you may be obligated to follow, you may wish to exclude bidders who exceed your procurement’s acceptable level of risk based on the answers to these criteria, or even implement an automatic disqualification in the presence of certain high-risk indicators.

Data and Information Protection Criteria

Setting up requirements for the storage and protection of sensitive information (e.g., personal data, research, and data on sensitive or dual-use technologies) prior to bid award may help in the mitigation of risk. Requirements for your institution to be in control of the storage of any sensitive data can be situated contractually within the RFP.

Consider asking how a bidder will be protecting your sensitive information, by having them provide information on:

  1. Where data is stored (e.g., geographic location which may change the privacy, security, and data ownership laws and regulations applied to the data).

  2. How data is transmitted (network considerations, what products it may be transferred through, and details of these products such as their purpose and manufacturer).

  3. How data is labelled/categorized according to its sensitivity.

  4. What access controls and network management protocols exist.

  5. What their data retention policies are, and whether data retention requirements can be supported.

  6. What the role of subcontractors is in the storage, transmission, categorization or retention of data.

In reviewing the answers to these questions, consider how a potential compromise of information could impact the data security interests of your institution, or even wider national security interests. You may wish to consider evaluating bidders on the information they provide and require that they meet a certain threshold to qualify.

You may also wish to consider clauses within the contract that enable you to specify the expected protections or minimum standards related to the above considerations, particularly around data and information protection. This includes, for example, clauses that enable your institution to review and evaluate the security and integrity of the goods and services to be procured, or to conduct security audits once they are procured. Within these clauses you may wish to specify situations that would warrant termination of the contract if security vulnerabilities or other security concerns are identified in these reviews. You may wish to conduct these reviews on a set schedule, or should a certain change occur in the delivery of the good or service (e.g., a change in ownership of the vendor, a change in the vendor’s headquarters, etc.).

For more guidance on the types of clauses you may wish to include in an RFP, the Canadian Centre for Cyber Security can offer assistance. For research security advice for your specific project, you can also contact Public Safety’s Research Security Centre.